[00:00.760 --> 00:02.580]  Hello, DEF CON!
[00:02.740 --> 00:08.640]  As my late mother used to say, I know I'm running with the right crowd now.
[00:08.660 --> 00:12.580]  Last year, I was able to attend DEF CON in person.
[00:12.780 --> 00:16.220]  And back at that time, you could do that.
[00:16.220 --> 00:20.040]  I'm proud that I was the first United States Senator to speak.
[00:20.060 --> 00:25.820]  Now I'm proud to be the first United States Senator to speak remotely at DEF CON.
[00:25.820 --> 00:33.040]  Last year, I was able to walk around the Voting Village and see hackers, young and old alike, taking voting machines apart.
[00:33.040 --> 00:36.060]  They were learning and teaching each other.
[00:36.060 --> 00:43.300]  I even saw one voting machine on which hackers had installed the video game Doom.
[00:43.640 --> 00:47.060]  I sure wish Mitch McConnell could have seen that.
[00:47.180 --> 00:54.940]  He'd have a lot harder time pretending that everything is just fine with election security.
[00:54.940 --> 01:02.920]  I bet there are a whole lot of bad guys around the world who want to install their own version of Doom on our voting machines.
[01:02.920 --> 01:09.400]  Except their version would be a lot less fun, and it wouldn't be a game at all.
[01:09.500 --> 01:15.820]  A month before last year's DEF CON, the House of Representatives passed a historic election security bill.
[01:15.820 --> 01:18.060]  It was called the SAFE Act.
[01:18.060 --> 01:26.580]  I'm proud to say that I wrote portions of that bill, including parts of the bill that require risk-limiting audits for all federal elections
[01:26.580 --> 01:39.320]  and created mandatory federal cybersecurity standards for voting machines, electronic poll books, voter registration databases, and election reporting websites.
[01:39.320 --> 01:45.420]  The SAFE Act reflects the consensus view of election security experts.
[01:45.420 --> 01:59.560]  It includes people from the DEF CON community who have said loud and clear that safe and secure elections depend on hand-marked paper ballots and routine risk-limiting audits.
[01:59.560 --> 02:12.620]  While the House did its job and passed a good election security bill, our efforts to secure election reform have been stalled in the Senate.
[02:12.620 --> 02:20.120]  Stalled because of Mitch McConnell, who has made it clear that he is going to block any election-related legislation.
[02:20.160 --> 02:26.320]  Because of COVID-19, the world seems like it has turned upside down since last year.
[02:26.320 --> 02:34.340]  One thing has stayed the same. Mitch McConnell still won't do a thing to make our elections more secure.
[02:34.340 --> 02:45.260]  Last year, the top threat was electronic voting machines. They're still a problem, but now I'm especially concerned about Internet voting.
[02:45.260 --> 02:59.380]  The coronavirus pandemic has presented extraordinary problems for state and local administrators and for American voters who justifiably don't want to have to put their health at risk to vote.
[02:59.380 --> 03:09.340]  But it has also been a huge opportunity for snake oil salesmen peddling insecure Internet voting technology.
[03:09.340 --> 03:16.620]  These companies have gone out and preyed on state and local officials who are desperate for options during this pandemic.
[03:16.620 --> 03:30.720]  And what the snake oil salesmen have essentially been selling is kind of magic beans, promising that voters with disabilities and our men and women in uniform overseas can vote securely using their smartphones.
[03:30.720 --> 03:39.700]  As this community knows, election security experts have been so clear that Internet voting is not secure.
[03:39.700 --> 03:45.580]  Internet voting is dangerous and it's a threat to American democracy.
[03:45.580 --> 03:54.980]  The allure of secure Internet voting is obviously understandable, particularly for officials who haven't had training in cybersecurity.
[03:55.220 --> 04:10.760]  I'm sure you all by now have heard somebody say, well, if the tech companies can figure out a way to allow people to securely pay their bills online or transfer money from a smartphone, why can't they figure out the problem of Internet voting?
[04:10.760 --> 04:16.600]  Coincidentally, this is similar to what FBI officials have said about encryption backdoors.
[04:16.960 --> 04:32.620]  Their view is if America can put a man on the moon, why can't our technology companies build encryption backdoors that are secure against Chinese and Russian hackers and allow law enforcement agencies to go after the bad guys?
[04:32.620 --> 04:41.980]  What's needed, though, is for government to make sure that you don't see bad ideas advance.
[04:41.980 --> 04:57.740]  And on both topics, I turn to actual cybersecurity experts, to cryptographers and computer scientists who've made it clear that secure encryption backdoors and insecure Internet voting are both beyond the realm of the possible right now.
[04:57.740 --> 05:07.100]  The experts just don't know how to build these things safely, no matter how much government officials want them to exist.
[05:07.160 --> 05:14.500]  So let me talk for just a brief few minutes about one Internet voting company named Voatz.
[05:14.500 --> 05:21.300]  This company convinced West Virginia to allow the use of their smartphone voting app.
[05:21.300 --> 05:27.460]  After a pilot in West Virginia, the company expanded to Utah, Colorado and my home state of Oregon.
[05:27.460 --> 05:32.500]  That's when I really started digging in to what this company was about.
[05:32.500 --> 05:37.300]  The first thing I learned is that Voatz had never been subjected to an independent audit.
[05:37.300 --> 05:51.140]  The company was going out and about telling election officials that it had passed several audits with flying colors, but it never told those officials that the audits had been handpicked and paid for by Voatz's financial backers.
[05:51.140 --> 05:56.720]  The people who conducted the audits had no experience at all with election security.
[05:56.720 --> 06:02.920]  Officials in Oregon relied in good faith on the fact that they thought that Voatz had been audited.
[06:02.920 --> 06:06.900]  But state and local officials will tell you they're not cyber experts.
[06:06.900 --> 06:18.540]  They don't have graduate degrees in cybersecurity, and so they didn't understand the difference between the bogus audits that Voatz had passed and a rigorous independent audit by experts.
[06:18.540 --> 06:22.640]  Of course, audits don't need to be a fancy official thing.
[06:22.640 --> 06:32.440]  This community has demonstrated that individual researchers, college students, hobbyists can discover important security issues outside of a formal audit.
[06:32.440 --> 06:39.140]  In 2018, a University of Michigan student as part of a class project decided to examine Voatz.
[06:39.140 --> 06:43.300]  That student was looking to see if the company's security claims held up.
[06:43.300 --> 06:50.020]  The company's app called home when the student tried to examine it is what was considered.
[06:50.020 --> 06:57.720]  As media reports have confirmed, the company reported this directly to the West Virginia Secretary of State, who then called the FBI.
[06:57.740 --> 07:07.420]  However, what hasn't been reported is the fact that Voatz did not believe that hackers in China or Russia were attacking West Virginia's elections.
[07:07.420 --> 07:20.940]  The company's CEO told my staff that he reported the incident to government officials specifically because the University of Michigan is home to researchers who have a long history of criticizing voting technology companies.
[07:20.940 --> 07:23.200]  Let that sink in for a second.
[07:23.200 --> 07:36.260]  The company reported a college student, a security researcher engaged in good faith security research to the government because the company had reason to believe that the researcher might be critical of the company.
[07:36.260 --> 07:40.240]  This is absolutely outrageous conduct.
[07:40.240 --> 07:46.760]  Security researchers perform an enormous public service by volunteering their time to find and report problems.
[07:46.760 --> 08:00.700]  I for one would prefer that the first person to find a security problem in a voting system used in real elections is a researcher working in the public interest and not a hacker working for Russia or China.
[08:00.700 --> 08:11.360]  Companies should be rolling out the red carpet for independent researchers, including the DEF CON Voting Village, instead of trying to bully them as Voatz did.
[08:11.360 --> 08:17.340]  Thankfully, Voatz's scare tactics were not successful in scaring away other researchers.
[08:17.340 --> 08:25.600]  Earlier this year, a team from MIT conducted a thorough audit of Voatz's product and found it riddled with basic flaws.
[08:25.600 --> 08:32.980]  That not only proved that the company's security claims were false, but that the company's prior hand-picked audits were a farce.
[08:32.980 --> 08:40.860]  I commend the team at MIT for showing yet again that internet voting is dangerous.
[08:40.860 --> 08:46.920]  This November, Americans will vote in what I believe is the most important election of our lifetimes.
[08:46.920 --> 08:57.080]  Since Mitch McConnell has blocked several of my bills to secure our elections from cyber threats and ensure that every registered voter can vote safely in this pandemic,
[08:57.080 --> 09:02.740]  let me close by mentioning just a few of the security issues that concern me the most.
[09:02.740 --> 09:17.420]  E-poll book failures, particularly failures by states in checking voters in a polling booth, have repeatedly failed, leading to lengthy delays for in-person voting.
[09:17.420 --> 09:32.140]  There are no federal cybersecurity standards for these devices, and I remain deeply concerned that e-poll book failures, whether caused by malfunctions, human error, or cyber attacks, could result in major problems.
[09:32.140 --> 09:46.940]  Internet voting. While most officials now seem to realize that Voatz is insecure snake oil, 31 states continue to permit overseas and military voters to return marked ballots by email, fax, or over the internet.
[09:46.940 --> 09:59.340]  As far as I'm concerned, this is the weakest link in our election infrastructure, as voters and election officials have no way of knowing if these electronically transmitted ballots have been tampered with by hackers.
[09:59.340 --> 10:07.380]  In close races, email ballots can be the deciding factor, which is something that should worry everybody.
[10:07.380 --> 10:20.920]  Election night reporting websites. There continue to be no cybersecurity standards for reporting websites, despite the fact that a hack could create massive chaos by misleading the public about the election winner.
[10:20.920 --> 10:27.060]  Years ago, hackers went after reporting sites in the Ukraine, so it's not like this ought to be a surprise.
[10:27.060 --> 10:37.320]  And finally, I'm worried that Donald Trump and his new political hack of a postmaster general are gunning for the U.S. Postal Service.
[10:37.320 --> 10:47.540]  They want to make voting by mail less reliable, slow down election results, and allow Donald Trump to make baseless claims about the election being rigged.
[10:47.540 --> 10:52.800]  So there are plenty of security issues for all of us to stay up late at night.
[10:52.800 --> 11:04.140]  But there are still reasons for hope. First, the fact that all of you white hat hackers are willing to spend your time trying to make our elections safer is, in my view, an enormous asset.
[11:04.140 --> 11:16.620]  I've been so impressed by the energy and creativity of the Voting Village and the young people who are working with Alex Halderman and Harri Hursti and Matt Blaze and everybody who makes this possible.
[11:16.620 --> 11:25.080]  Second, there seems to be a gradual acceptance by the government and some vendors that security researchers are not the enemy.
[11:25.080 --> 11:36.400]  Initiatives like the University of Chicago's Election Cyber Surge, which aims to connect hackers with election officials, sound like promising ways to bring expertise to those who need it.
[11:36.400 --> 11:49.620]  I'm also encouraged that the Cybersecurity and Infrastructure Security Agency put out a very thoughtful guide for how election officials can work with security researchers when it comes to identifying and reporting vulnerabilities.
[11:49.960 --> 12:00.160]  And God forbid I say anything complimentary about election vendors like ES&S after they lied to the public repeatedly about the security of their products.
[12:00.160 --> 12:09.660]  But the fact is you do see them at Black Hat just two years after they asked the Senate Intelligence Committee to investigate the Voting Village.
[12:09.660 --> 12:19.720]  That's a pretty stark contrast. Everybody is better off if government and election vendors see security researchers as a resource instead of a threat.
[12:19.720 --> 12:33.580]  So it does give me some measure of hope that even though Donald Trump and too many in Congress still refuse to take election security seriously, that there are people doing good work to make a difference where they can.
[12:33.580 --> 12:45.720]  And believe me, our elections need all the help they can get. And I just want to close by making it clear that we are going to keep up the fight for better election security in Washington, D.C.
[12:45.720 --> 13:00.480]  And my view is that political change doesn't start in Washington, D.C. and trickle down. It basically bubbles up when the grassroots, particularly when it comes to technology, do the talking.
[13:00.480 --> 13:10.220]  So don't stop fighting to secure our elections. Our democracy depends on it. And good luck to everybody in this crucial, crucial cause.
